States Set to Regulate the Internet of Things (IoT)

Advertising Law

Beginning in January 2020, two states will begin regulating the Internet of Things (IoT).

California enacted its law last year, which applies to “any device, or other physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an IP or Bluetooth address.”

The definition encompasses everything from thermostats to televisions to fitness trackers, refrigerators, automobiles, security cameras, and devices such as the Amazon Echo and Google Home.

Manufacturers of connected devices are required to implement “reasonable” security features that are appropriate to the nature and function of the device; appropriate to the information collected by, contained in or transmitted by the device; and designed to protect the device and information it contains from unauthorized access, destruction, use, modification or disclosure.

The new law also mandates that each connected device must be equipped with a password to authenticate the user before she is granted access to the device for the first time. The password can be either a unique preprogrammed password or a user-generated means of authentication.

California included some exemptions for entities and business associates covered by the Health Insurance Portability and Accountability Act, as well as “any connected device the functionality of which is subject to security requirements under federal law, regulations or guidance promulgated by a federal agency pursuant to its regulatory enforcement authority.”

Enforcement of the law rests with the state’s attorney general, city attorneys, county counsel and district attorneys. No private right of action was included.

The law enacted in Oregon covers similar territory but has a few key differences. The definition of a connected device covers the same range of gadgets but contains a limitation for devices that are used “primarily for personal, family or household purposes.” And while it also requires the use of “reasonable security features,” the Oregon law attempts to define the term. 

Specifically, “reasonable security features” includes “(a) a means for authentication from outside a local area network, including (1) a preprogrammed password that is unique for each connected device; or (2) a requirement that a user generate a new means of authentication before gaining access to the connected device for the first time; or (b) compliance with requirements of federal law or federal regulations that apply to security measures for connected devices.” A preprogrammed unique password, or the requirement that a new user of the device generate a new means of authentication prior to using the device for the first time, ensures that a smart device won’t have the same default password as everyone else’s device. These features also provide additional security so that an IoT device will be less susceptible to spying or hacking. Given that the estimated number of IoT devices around the world is in the billions, and that people value the convenience of the devices but don’t want to sacrifice privacy, it’s more important than ever that IoT devices be developed with reasonable security features.

Another unique feature of the bill is that a violation will be considered “an unlawful trade practice” under Oregon’s consumer protection law (ORS 646.607), which provides a private right of action.

To read the California law, click here.

Why it matters: Back in January 2015, the Federal Trade Commission (FTC) was the first to jump on the IoT bandwagon, releasing a report1 calling on companies that develop Internet connected devices to take proactive steps to protect consumers’ privacy and keep their data secure. California and Oregon are the first two states to regulate IoT devices, but this is just the beginning, as many more states will seize the opportunity to require that reasonable security measures be taken in the development of products that are capable of Internet connections.

Manufacturers are typically best positioned to comply with these emerging privacy and data security laws by implementing security during the design of IoT devices. In terms of reducing a manufacturer’s risk of legal liability arising out of an IoT product, we recommend that product manufacturers look for ways to enforce their standard website or mobile app terms of service (ToS) or terms of use against consumer IoT product purchasers. Each ToS can include not only clauses that limit the company’s liability, but also arbitration clauses (typically combined with class action waiver language) in an effort to reduce the risk of class action lawsuits for product defects and other potential privacy and data security-related claims that arise from a data security breach. When developing and launching an IoT product, presenting a ToS in a conspicuous manner and obtaining assent to legal terms will be challenging, especially for products that don’t have screens where a consumer can easily review and check a box to agree to a company’s ToS. Also, the issue of downstream IoT product users who don’t agree to the ToS at time of product purchase or setup can raise interesting issues of enforceability if each ultimate user of an IoT product has not assented to the ToS. Manufacturers that are developing IoT products and wish to limit their liability and avoid class action lawsuits are well advised to have their product developers work directly with legal experts who can develop consumer contacting processes that will result in enforceable customer agreements.

1Internet of Things: Privacy & Security in a Connected World,” FTC Staff Report, January 2015 (available at:



pursuant to New York DR 2-101(f)

© 2024 Manatt, Phelps & Phillips, LLP.

All rights reserved